Why the White House Won't Release a Key Cyber Paper

Even as the new government-wide cyber coordinator, Howard Schmidt, pledged to promote transparency as the government moves to protect cyberspace, the administration won't release a legal memorandum that many, including the one-time head of its cyber security review, hoped would be made public.

The memo was drafted as an appendix to the White House
Cyberspace Policy Review led by Melissa Hathaway, at the time the acting
senior director for cyber issues at the National Security Council.
Hathaway has since left the government. She has told colleagues that
the White House overruled her decision to release the legal annex.
Administration officials dispute the idea that it was her decision to
make in the first place.

Speaking at last year's RSA conference,
Hathaway praised the review process for its "unprecedented
transparency." A footnote in the appendix of the main report notes that
the legal analysis was not intended to be of the type that would or
could influence policy. And the report
itself calls for a new interagency legal review team -- the team
that would produce products for internal, executive-branch only
deliberation.

Hathaway, in discussing the review the next week,
expressed enthusiasm about the legal review to an audience of
intelligence professionals and journalists at a conference in Virginia.
Bob Gourley, a former senior intelligence official, blogged
after the event that Hathaway bragged about the comprehensiveness
of the legal review. Gourley noted that the legal annex "captures some
of some of the opinion of federal legal experts from across the
government."

Wednesday, Schmidt announced the
declassification of part of the Comprehensive
National Cyber Initiative, which has been shrouded in secrecy, even
to members of Congress. Even though most of the information has been in
the public domain, the declassification marked a step that the previous
administration was unwilling to take.

A senior administration
official said the legal report would not be released because its
contents are classified. The official cited "national security" as the
reason why the legal annex has not been released, said that the White
House should have been given more credit for declassifying some
information about the CNCI, and said that President Obama is committed
to as much "transparency as possible." Congress has also asked the
White House for a copy of the annex and as of a month ago had not
received it. Schmidt told an audience earlier this week that
administration lawyers are working on about 40 discrete issues.

But
two people who have seen the report say that although it covers
sensitive matters like the legal authority the United States has to
conduct offensive cyber warfare, a minimally redacted version could be
released without compromising any intelligence program or strategy. The
document poses many questions, these people said, and does not
presuppose that the U.S. government has come to any conclusions. For
example, a portion of the document about the laws of war is a
straightforward, academic discussion about how they might or might not
apply to cyber attacks.

According to these people, the report
also includes a rigorous discussion about whether offensive cyber
capabilities are best described as a traditional military activity (and
therefore subject to Title 10 of the U.S. Code) or an intelligence
activity, which would impose a different set of legal requirements upon
whatever action was being considered. The analysis also ponders whether
the U.S. might establish a "first use" doctrine of cyber offense.

The
legal annex includes some discussion about the National Security
Agency's data collection and retention policies, most of which has
already been declassified in other forums by the previous
administration. Among the more sensitive political issues that harass
elected officials is the degree to which the NSA might have to monitor
the dot.com domain in order to fully protect the country from major
cyber attacks. To date, government officials have been reluctant to even
acknowledge that the possibility would ever be discussed, which would
require Congress to change current law.

From the
administration's perspective, because the questions raised in the
analysis were brought forward by lawyers working for intelligence
agencies, releasing the information would provide enemies with an
insight into what capabilities the government might have or might want
to develop.

"As vitally important as openness is, every
organization also needs to have confidentiality around legal
deliberations so that the client can get sound, unvarnished advice from
counsel. That concern is particularly acute in matters of national
security," the official said in an e-mailed statement. "These
deliberations concerned important legal issues facing the cyber review
team, and should remain privileged."

The official would not
say whether the administration planned to discuss the complex legal
issues in public at any point. Aside from offensive cyber warfare, these
issues include the legal implications of the government working with
the private sector, restrictions imposed by the Fourth Amendment, and whether
existing statutes like the Electronic Communications Privacy Act need to
be expanded.

In 2006, the Justice Department produced an
unclassified white paper on the National Security Agency's surveillance
program that was well received, even as it protected sensitive programs
and even as many legal experts profoundly disagreed with the analysis.
In 2009, it released an unclassified legal memorandum on a sensitive
government program known as Einstein II, which was set up to protect
servers on the dot-gov domain.

In February, at a symposium at
the University of Texas at Austin's law school, a CIA consultant gave
an unclassified speech, which included CIA-approved PowerPoint slides,
about the difficulties inherent in crafting a comprehensive legal
approach. The consultant, Sean Kanuck, included several slides about the
current questions the U.S. government is wrestling with, including what
type of cyber attack constitutes an act of war, and whether offensive
cyber security actions require the government to take into account the
potential for human suffering on the other side. (Kanuck said at the
time that his presentation was not endorsed by the CIA and that his
discussion did not necessarily reflect any specific internal
deliberations.)

As with the NSA program, the cyber law
terrain triggers extreme sensitivities, with journalists and
commentators worrying about whether the government is planning in secret
to take control of the Internet. They aren't -- but in refusing to open
parts of the issue to public discussion, they are feeding the
uneducated and impoverished public discourse on the subject.

"Why
can't we have a debate about nuclear weapons that it's in the open and
not have that debate about cyber?" said James A. Lewis of the Center for
Strategic and International Studies, who has consulted with the
administration in the past about cyber security issues. "The answer they
give is that we would give our adversaries notice of our red lines.
Well, that assumes the enemies don't know our red lines already."

Marc Ambinder is a contributing editor at The Atlantic. He is also a senior contributor at Defense One, a contributing editor at GQ, and a regular contributor at The Week.